A wave of ransomware swept across Europe at an incredibly rapid clip Tuesday, grinding business to a halt at banks, airports, pharmaceutical companies, government offices, service providers, utilities and more, security researchers said.
Dubbed GoldenEye, a new variant of the Petrwrap/Petya ransomware, this attack is sneaking past traditional security defenses – according to The Hacker News, only 13 out of 61 anti-virus services are successfully detecting it – to load malware onto victims’ Windows machines and hold files for ransom unless the attackers are paid $300 in bitcoin.
Though the initial infection vector of the ransomware is currently unknown, researchers said it leverages the EternalBlue exploit to spread from one computer to another over the Microsoft Windows SMB protocol.
Researchers said that this new bit of ransomware is similar in many ways to WannaCry, which in May ensnared more than 200,000 machines in more than 150 countries to hold files for ransom and also spread via the EternalBlue exploit.
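The SMB-based spread described above is worm-like: one infected host fans out to many peers on TCP/445 in a short time, which is a pattern a network team can look for in its own flow records. The following detector is an added example written for this post, not code from A10 Networks or from the researchers cited; the flow records, IP addresses, window and threshold are all constructed for illustration.

```python
"""
Added example (not part of the original post): flag hosts that contact an
unusually large number of distinct peers on SMB ports within a short window,
the fan-out pattern a self-propagating ransomware worm produces.
All flow records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}  # SMB over TCP, and NetBIOS session service


def parse_flow(record):
    """Normalise one (timestamp, src_ip, dst_ip, dst_port, proto) tuple."""
    ts, src, dst, port, proto = record
    return datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def detect_smb_fanout(flows, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: peer_count} for every source that reached at least
    `threshold` distinct hosts on SMB ports within any `window`-long span.
    The count reported is the largest window seen for that source."""
    by_src = defaultdict(list)
    for rec in flows:
        ts, src, dst, port, proto = parse_flow(rec)
        if proto == "tcp" and port in SMB_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp for the sliding window
        lo = 0
        for hi in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def _constructed_flows():
    """Constructed sample data (hypothetical 10.0.5.0/24 network)."""
    base = datetime(2017, 6, 27, 9, 0, 0)
    flows = []
    # Worm-like fan-out: 12 distinct peers on 445 within about 22 seconds.
    for i in range(12):
        flows.append(((base + timedelta(seconds=2 * i)).isoformat(),
                      "10.0.5.23", f"10.0.5.{100 + i}", 445, "tcp"))
    # Benign: repeated SMB sessions to a single file server over 10 minutes.
    for i in range(20):
        flows.append(((base + timedelta(seconds=30 * i)).isoformat(),
                      "10.0.5.50", "10.0.5.10", 445, "tcp"))
    # Slow and quiet: 12 peers, but spread over two hours (one per window).
    for i in range(12):
        flows.append(((base + timedelta(minutes=10 * i)).isoformat(),
                      "10.0.5.77", f"10.0.5.{200 + i}", 445, "tcp"))
    # Unrelated HTTPS flow from the infected host; ignored by the SMB filter.
    flows.append((base.isoformat(), "10.0.5.23", "203.0.113.9", 443, "tcp"))
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for host, peers in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT: {host} reached {peers} distinct SMB peers within 60s")
```

On the constructed data only 10.0.5.23 is reported. The file-server client talks repeatedly to one peer, so its distinct-peer count never rises, and the slow host never reaches the threshold inside any single window; tuning the window and threshold to a network's normal SMB usage is what keeps this kind of check from drowning in file-server noise.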
One striking difference between WannaCry and GoldenEye is how the two ransomware attacks use encryption.
WannaCry encrypted the infected files, while GoldenEye has two distinct layers of encryption: one that encrypts the files, and another that encrypts an infected machine’s entire file system, Bitdefender wrote.
"Just like Petya, it is particularly dangerous because it doesn't only encrypt files, it also encrypts the hard drive as well," Bogdan Botezatu, a senior threat analyst with Bitdefender, told CNET.
A tweet from a Kaspersky Lab researcher indicates that Kaspersky recovered a sample of the malware on June 18, suggesting it has been in the wild and infecting machines for more than a week.
The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp. pic.twitter.com/CHUYvsiQ08
— Costin Raiu (@craiu) June 27, 2017
Knowing What’s on Your Network
As GoldenEye quickly spread throughout Europe Tuesday morning and afternoon, researchers worked to uncover the initial infection vector and determine the source.
While the source of the infection is still unclear, the fact that it went unnoticed for more than a week is a strong reminder of how important it is to understand what type of traffic is on your network.
Ransomware is sometimes spread via encrypted email messages containing Word and Excel files as attachments. This reinforces the need to decrypt and inspect Webmail and other secure email protocols to ensure attachments do not contain ransomware.
It’s also possible that GoldenEye infected machines through the use of nefarious encrypted traffic and went undetected.
According to A10 Networks customers, roughly 75 percent of their traffic is encrypted.
Yet at the Gartner Security and Risk Management Summit earlier this month, Gartner analysts said that by 2020, more than 60 percent of organizations will fail to properly decrypt traffic and miss most targeted web malware.
Encrypted traffic has become the biggest network blind spot, and enterprises need solutions that break and inspect encrypted traffic to uncover potential malware before it’s too late.
Failing to decrypt encrypted traffic in real time so your security stack can analyze it could be inviting ransomware or other malware onto your network.
A10 Thunder SSLi is a full-proxy solution that delivers real-time visibility into encrypted traffic to stop potential threats before they wreak havoc. Thunder SSLi decrypts traffic across all TCP ports and then enables third-party security devices to analyze all traffic without compromising performance. This gives security devices the chance not only to inspect and report any malicious file, but also, if necessary, to block the traffic in real time and reset the communication channel. Thunder SSLi then re-encrypts the traffic and sends it to its intended destination. This eliminates the blind spot introduced by encrypted traffic.
For more on A10 Thunder SSLi, please check out this data sheet.